From owner-cvs-all Thu Oct 5 18:26:27 2000
Date: Thu, 5 Oct 2000 21:26:21 -0400
From: Bill Fumerola
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.c src/sys/netinet ip_fw.c ip_fw.h
Message-ID: <20001005212621.U38472@jade.chc-chimes.com>
References: <200010020303.UAA99196@freefall.freebsd.org> <20001005202924.A63643@sunbay.com>
In-Reply-To: <20001005202924.A63643@sunbay.com>; from ru@FreeBSD.org on Thu, Oct 05, 2000 at 08:29:24PM +0300
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD 3.3-STABLE i386

On Thu, Oct 05, 2000 at 08:29:24PM +0300, Ruslan Ermilov wrote:
> > Add new fields for more granularity:
> > IP: version, tos, ttl, len, id
> > TCP: seq#, ack#, window size
> >
> What is the purpose of having the following modifiers?
> - ipversion (ipfw will only be passed IPv4 packets)

Even in the bridge case? If ipfw won't ever see anything but ipv4
packets that are bridged (I admit I didn't really look into this too
much), then by all means back that part out.

> - ipid
> - tcpseq
> - tcpack
> How can these really be useful? I think they should be dropped.

Let me assure you that these are useful for dropping attacks from
poorly coded DDoS programs.

> The current implementation of iplen, ipttl and tcpwin modifiers
> does not seem interesting, because comparison is only limited to
> equality. I think they should be modified to accept the range
> of values, specified by lowest and highest boundaries, so one
> could specify `iplen 20-50' (20 <= iplen <= 50), `ipttl 0-5'
> (ipttl <= 5), etc.

The ipfw grammar, for lack of a better way to describe it, sucks ass.
There are _lots_ of fields that would benefit from the ability to say
lt, gt, eq, etc... I have every intention of looking at what BSD/OS has
done to ipfw to expand the grammar (I know they have) and trying to
bring our ipfw alongside theirs. I have lots of plans for new
functionality and even have a fair amount of them already coded
(*plug* attend my talk at bsdcon, and you'll see them[1] *plug*)

> Bill, I have finished updating the manual, but do not want to
> commit the change before you answer my questions above.

Many thanks, I have no mdoc ability whatsoever and envy those who do.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

1. My talk/slides/code/etc will be publicly available after the talk
   as well, obviously everyone can't go to bsdcon for various reasons.
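The two points argued in this exchange, that header-field matchers are only worth much if they accept ranges rather than just equality, and that exact-value matchers on ipid/tcpseq/tcpack are still useful against crude flood tools that stamp every packet with the same constant, are illustrated by the added example below. It is not ipfw or FreeBSD kernel code; it is a stand-alone user-space sketch of the matching logic: a bounds-checked IPv4+TCP header parser, a rule structure in which every matcher is an optional [lo, hi] range (equality being lo == hi), and a rule evaluator. The packets are constructed inline, and the "flood signature" (IP ID 0x1234, TCP seq 0, window 512 on every SYN) is a hypothetical one chosen for the demo, not a signature taken from any real tool.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Range matcher: set == 0 means the field is not checked ("any"). */
struct range { uint32_t lo, hi; int set; };

struct rule {
    int ipversion;                        /* 0 = any */
    struct range iplen, ipid, ipttl;      /* IPv4 header fields */
    struct range tcpseq, tcpack, tcpwin;  /* TCP header fields */
};

struct hdrs {
    unsigned version, ihl, tos, len, id, ttl, proto, win;
    uint32_t seq, ack;
    int has_tcp;
};

struct range range_of(uint32_t lo, uint32_t hi)
{
    struct range r; r.lo = lo; r.hi = hi; r.set = 1; return r;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the IPv4 header and, for protocol 6, the TCP header. Every
 * length check precedes the read it guards, so a truncated packet or a
 * lying total-length field yields 0 instead of an out-of-bounds read. */
int parse_packet(const uint8_t *pkt, size_t n, struct hdrs *h)
{
    memset(h, 0, sizeof *h);
    if (n < 20) return 0;
    h->version = pkt[0] >> 4;
    h->ihl = (pkt[0] & 0x0f) * 4u;
    if (h->version != 4 || h->ihl < 20 || h->ihl > n) return 0;
    h->tos = pkt[1];
    h->len = be16(pkt + 2);
    h->id = be16(pkt + 4);
    h->ttl = pkt[8];
    h->proto = pkt[9];
    if (h->len < h->ihl || h->len > n) return 0;
    if (h->proto == 6) {
        const uint8_t *t = pkt + h->ihl;
        if (h->len - h->ihl < 20) return 0;
        h->seq = be32(t + 4);
        h->ack = be32(t + 8);
        h->win = be16(t + 14);
        h->has_tcp = 1;
    }
    return 1;
}

static int in_range(const struct range *r, uint32_t v)
{
    return !r->set || (v >= r->lo && v <= r->hi);
}

/* 1 if every matcher that is set in the rule holds for the packet. */
int rule_matches(const struct rule *r, const struct hdrs *h)
{
    if (r->ipversion && h->version != (unsigned)r->ipversion) return 0;
    if (!in_range(&r->iplen, h->len) || !in_range(&r->ipid, h->id) ||
        !in_range(&r->ipttl, h->ttl))
        return 0;
    if ((r->tcpseq.set || r->tcpack.set || r->tcpwin.set) && !h->has_tcp)
        return 0;                 /* TCP matchers never match non-TCP */
    return in_range(&r->tcpseq, h->seq) && in_range(&r->tcpack, h->ack) &&
           in_range(&r->tcpwin, h->win);
}

/* -1 = malformed (parse failed), 0 = no match, 1 = match. */
int check(const struct rule *r, const uint8_t *pkt, size_t n)
{
    struct hdrs h;
    if (!parse_packet(pkt, n, &h)) return -1;
    return rule_matches(r, &h);
}

/* Constructed test packet: 20-byte IPv4 header + 20-byte TCP SYN from
 * 10.0.0.1:40000 to 10.0.0.2:80, no options, checksums left zero.
 * Returns the packet length (40). */
size_t build_tcp_syn(uint8_t *buf, uint16_t id, uint8_t ttl,
                     uint32_t seq, uint32_t ack, uint16_t win)
{
    static const uint8_t tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0, 0, 0x40, 0x00, 0, 6, 0, 0,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
        0x50, 0x02, 0, 0, 0, 0, 0, 0 };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[4] = (uint8_t)(id >> 8); buf[5] = (uint8_t)id;
    buf[8] = ttl;
    for (int i = 0; i < 4; i++) {
        buf[24 + i] = (uint8_t)(seq >> (24 - 8 * i));
        buf[28 + i] = (uint8_t)(ack >> (24 - 8 * i));
    }
    buf[34] = (uint8_t)(win >> 8); buf[35] = (uint8_t)win;
    return sizeof tmpl;
}

int main(void)
{
    uint8_t p[64];
    struct rule flood = {0}, lowttl = {0};
    /* Hypothetical flood signature: constant IP ID, seq 0, window 512. */
    flood.ipid = range_of(0x1234, 0x1234);
    flood.tcpseq = range_of(0, 0);
    flood.tcpwin = range_of(512, 512);
    /* Range rule in the spirit of `iplen 20-50 ipttl 0-5'. */
    lowttl.iplen = range_of(20, 50);
    lowttl.ipttl = range_of(0, 5);

    size_t n = build_tcp_syn(p, 0x1234, 64, 0, 0, 512);
    printf("flood pkt vs flood rule:  %d\n", check(&flood, p, n));
    n = build_tcp_syn(p, 0x77af, 64, 0x9abcdef0u, 0, 65535);
    printf("normal pkt vs flood rule: %d\n", check(&flood, p, n));
    n = build_tcp_syn(p, 1, 3, 1, 1, 1024);
    printf("ttl 3 vs ipttl 0-5:       %d\n", check(&lowttl, p, n));
    printf("truncated packet:         %d\n", check(&lowttl, p, 30));
    return 0;
}
```

The deliberately verbose `struct range` is the point: once every matcher is a range, `iplen 20-50`, `ipttl 0-5` and an exact `tcpwin 512` are the same code path, which is the grammar change Ruslan asks for above. The truncated-packet case shows the check a real filter must make before it reads TCP fields behind a short or lying IP header; an in-kernel version would do the same against the mbuf length.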